Endpoint Policies Demo
Start course

This course will focus on how to create and configure Azure service endpoints so that PaaS services can be made available from within your virtual network. The course will also discuss service tags, their association with service endpoints, and how to use them within the scope of your Network Security Groups and Azure Firewalls to allow/deny traffic to Azure PaaS services. The course will help to put all of this information into perspective.

Learning Objectives 

  • Create service endpoints
  • Configure service endpoint policies
  • Configure service tags
  • Configure access to service endpoints

Intended Audience

  • Azure Network Engineers who will be recommending networking solutions and managing them for performance, resiliency, scale, and security
  • Azure Network Engineers who will be working with solution architects, cloud administrators, security engineers, and application developers to deliver Azure solutions


  • Subject matter expertise in planning, implementing, and maintaining Azure networking solutions, including hybrid networking, connectivity, routing, security, and private access to Azure services
  • Azure administration skills
  • Experience and knowledge of networking, hybrid connections, and network security

Hi, there. In this video, we're going to wrap up the discussion around endpoint policies by taking a look at a demonstration of one, how to create one, as well as then how to apply it to a specific subnet. So, let's jump into the Azure portal. Okay, here we are at the entrance to the Azure portal. And the first thing that I want to show you is what I have in my resource group. So, we have the vnet that we created specifically for applying service endpoints, and we showed that a couple of videos ago. I also have two storage accounts here in the same region. One called storagepoliciesyes, one called storagepoliciesno. Obviously, allowing me to show you very easily which one is going to be allowed and which one is not. 

Now in order to enforce that though, we need to create the service endpoint policy. So, we're going to do that by just clicking on 'Create', and the easiest way to do this is just type 'policy' inside of the search bar. And then right here at the bottom is service endpoint policy. We'll go ahead and click 'Create'. Now, this is pretty straightforward. There is really only two screens that we need to worry about. This first one, specifying our resource group, giving the policy a name. Obviously, we want to go ahead and keep it in the same region as everything else. And then we're going to define the definition. Now, the definition is very simple and straightforward. All we do is we choose a set of resources. 

So, we click on the 'Add a resource' button, we get this blade that pops up. And you'll see here that right now, Microsoft storage is really the only option for us. I presume that over time Microsoft will add additional service endpoint services to this list so that you can do the same thing. But then we pick a scope. Do we want to choose individual storage accounts? Do we want to choose all accounts in a particular resource group, or all accounts in the subscription? And that's going to be very dependent upon how you have set up your resources in your own subscriptions, how you've done your resource organization and management. 

In this case, I'm just going to choose 'Single account'. We're then going to choose the resource group that the storage account is in. Now, it just so happens it's in the same one. And then, we're going to pick the individual storage account. And in this case, you're always choosing storage accounts that are being allowed. So, I want to choose 'storagepoliciesyes'. Right, go ahead and click 'Add'. We now have it here listed under our individual resources. We can also add an alias for specific types of services to be allowed as well. But we're not going to be focusing on any of that in this particular course. We're just going to focus on allowing individual storage accounts. 

Now, as I said, could have very easily added a couple of storage accounts in a separate resource group and done that as well. But just to show how this is done, we'll go ahead and click 'Tags', we go ahead and click 'Review + create'. I wonder, do I want to populate here? For this policy to take effect, you will need to associate it to one or more subnets that have virtual network service endpoints. Please visit a virtual network in East US 2 and then select the subnets to which you would like to associate this policy. So, that is still a secondary step. Just the creation of the policy is not enough. So, let's go ahead and click 'Create'. And then once this is done, we will go into the virtual network and apply this to the subnet. 

And we're good. All right, let's go back and we're going to go directly into the virtual network. We're going to go into the subnets and choose 'subnetendpoints', which is the one that we used in the demonstration a couple of videos ago. Now in this particular subnet, we did set up two different service endpoints, both Microsoft keyVault as well as Microsoft storage, but we didn't apply any policies because we didn't have any. In this case though, we do now. Let me scroll down just to make this a little bit easier to see. And we're going to choose 'storageyes-policy'. All we have to do is click 'Save'. And it's that simple. We have a saved subnet with now a both service endpoint applied as well as a policy. 

Now obviously, you can be much more granular, much more descriptive if you create your own JSONs, like we saw with the example earlier, and apply your service endpoint policies, create and apply your service endpoint policies via the Azure CLI or Azure PowerShell. The Azure portal does not always provide everything that you might want to do from a feature and function perspective. 

In the next video, we'll start to take a look at service tags and how they can be leveraged within the scope of your virtual networks, as well as how they can be used with respect to service endpoints.


About the Author

Brian has been working in the Cloud space for more than a decade as both a Cloud Architect and Cloud Engineer. He has experience building Application Development, Infrastructure, and AI-based architectures using many different OSS and Non-OSS based technologies. In addition to his work at Cloud Academy, he is always trying to educate customers about how to get started in the cloud with his many blogs and videos. He is currently working as a Lead Azure Engineer in the Public Sector space.